This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Using Kerberos credentials in a Pega application to authenticate and access external systems

This content applies only to On-Premises Services environments.

Kerberos is a network authentication protocol that secures client-server node communication by using secret-key cryptography. It is used to verify user identity on non-secure networks.

You can use a user's Kerberos credentials to connect to external systems and authenticate with them. For example, you can use the credentials obtained from the User Principal Name to authenticate to an LDAP directory. To use this functionality, you must store the operator Kerberos credentials anywhere on the clipboard on the Pega 7 Platform. However, the ATN logic in the engine code already stores the credentials on the pxRequestor clipboard page, which means that if a requestor contains a User Principal Name object, the Pega 7 Platform automatically stores it on the Requestor (pxRequestor) page in the property reference .pxSessionContext.pxUserPrincipalObject. This property allows the user to use the credential that is associated with this object in their application.

To use a user's Kerberos credentials to connect to an external system, complete the following tasks:

Creating a Kerberos authentication service

Create a special custom authentication service for Kerberos.

  1. Click Designer Studio > Org & Security > Authentication > Create Authentication Service.
  2. In the Type list, select Kerberos.
  3. In the Name field, press the Down Arrow key and select the name of the authentication service from the list KerberosAuth.
  4. Enter a short description of the authentication service.
  5. Click Create and open.
  6. On the Kerberos tab, in the Timeout activity field, press the Down Arrow key and select from the AuthenticationLDAPWebTimeout list.
  7. In the Authentication activity field, press the Down Arrow key and select from the pyAuthenticationKerberosCredentials list.

    If you are not using SPNEGO SourceForge, modify this activity code to retrieve GSSCredential from the pxRequestor clipboard page by using the implementation that you chose.

  8. In the JNDI Binding Parameters section, specify the Initial context factory field, for example, com.sun.jndi.ldap.LdapCtxFactory.
  9. Optional: Only if you are using LDAP, in the Directory field, enter the LDAP server information.
    1. In the Search Parameters section, in the User principal name attribute field, enter the LDAP attribute name that is used for the User Principal Name on the LDAP server.
    2. On the Mapping tab, in the Authentication Service rule form, map the .pyOrgUnit, .pyOrganization, .pyOrgDivision, and .pyUserName properties to the related LDAP attributes. The Pega 7 Platform must have corresponding Organization, OrganizationUnit, and OrganizationDivision records.
  10. Click Save.

Authentication with Kerberos credentials

In the KerberosAuth rule form, use the pyAuthenticationKerberosCredentials activity as the authentication activity.

The pyAuthenticationKerberosCredentials activity validates Kerberos credentials and creates an operator instance for a Kerberos user. The activity uses the SPNEGO SourceForge implementation to retrieve the GSSCredential object from the pxRequestor clipboard page that is stored in the .pxSessionContext.pxUserPrincipalObject property. It uses the GSSCredential for LDAP binding. If you are not using SPNEGO SourceForge, modify this activity to retrieve the GSSCredential by using your Kerberos implementation.

The following example uses Java code reflection to obtain the GSSCredential from the SPNEGO principal:

If you are not using SPNEGO SourceForge, modify the IF block code by using your implementation.

ClipboardPage cp = tools.findPage("pxRequestor", true);


Method m = cp.getObject(".pxSessionContext.pxUserPrincipalObject").getClass().getMethod("getDelegatedCredential", null);

// Get user GSSCredential from pxRequestor page

GSSCredential gsscredential = (GSSCredential)m.invoke(cp.getObject(".pxSessionContext.pxUserPrincipalObject"), null);



oLog.error("pxRequestor page has unsupported SPNEGO principal");


Hashtable props = new Hashtable(11);

props.put(INITIAL_CONTEXT_FACTORY, “com.sun.jndi.ldap.ldapctxfactory”);

props.put(PROVIDER_URL, “ldap://localhost:389”);

props.put(javax.naming.Context.SECURITY_AUTHENTICATION, "GSSAPI");

// use GSSCredential to create LDAP Directory context

props.put(, gsscredential);

DirContext ctx = new InitialDirContext(props);

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.